~kleber-souza/ubuntu/+source/linux/+git/xenial:master-next

Last commit made on 2017-08-11
Get this branch:
git clone -b master-next https://git.launchpad.net/~kleber-souza/ubuntu/+source/linux/+git/xenial

Recent commits

d4fd4ec... by Willem de Bruijn <email address hidden>

udp: consistently apply ufo or fragmentation

CVE-2017-1000112

When iteratively building a UDP datagram with MSG_MORE and that
datagram exceeds MTU, consistently choose UFO or fragmentation.

Once skb_is_gso, always apply ufo. Conversely, once a datagram is
split across multiple skbs, do not consider ufo.

Sendpage already maintains the first invariant, only add the second.
IPv6 does not have a sendpage implementation to modify.

A gso skb must have a partial checksum, do not follow sk_no_check_tx
in udp_send_skb.

Found by syzkaller.

Fixes: e89e9cf539a2 ("[IPv4/IPv6]: UFO Scatter-gather approach")
Reported-by: Andrey Konovalov <email address hidden>
Signed-off-by: Willem de Bruijn <email address hidden>
Signed-off-by: David S. Miller <email address hidden>
(cherry picked from 85f1bd9a7b5a79d5baa8bf44af19658f7bf77bfa)
Signed-off-by: Kleber Sacilotto de Souza <email address hidden>

4eec68f... by Willem de Bruijn <email address hidden>

packet: fix tp_reserve race in packet_set_ring

CVE-2017-1000111

Updates to tp_reserve can race with reads of the field in
packet_set_ring. Avoid this by holding the socket lock during
updates in setsockopt PACKET_RESERVE.

This bug was discovered by syzkaller.

Fixes: 8913336a7e8d ("packet: add PACKET_RESERVE sockopt")
Reported-by: Andrey Konovalov <email address hidden>
Signed-off-by: Willem de Bruijn <email address hidden>
Signed-off-by: David S. Miller <email address hidden>
(cherry picked from c27927e372f0785f3303e8fad94b85945e2c97b7)
Signed-off-by: Kleber Sacilotto de Souza <email address hidden>

e0e1e20... by Kleber Sacilotto de Souza

Revert "net-packet: fix race in packet_set_ring on PACKET_RESERVE"

This reverts commit ccf7bb7399fef0475ebcbd3a9b77e5f9878e559f.

CVE-2017-1000111

Signed-off-by: Kleber Sacilotto de Souza <email address hidden>

d286a20... by Kleber Sacilotto de Souza

Revert "udp: consistently apply ufo or fragmentation"

This reverts commit 840d468de3a32ee65969a8f4245b850e275c1ef6.

CVE-2017-1000112

Signed-off-by: Kleber Sacilotto de Souza <email address hidden>

b913c4c... by Peter Hurley

tty: Destroy ldisc instance on hangup

BugLink: http://bugs.launchpad.net/bugs/1709126

Currently, when the tty is hungup, the ldisc is re-instanced; i.e., the
current instance is destroyed and a new instance is created. The purpose
of this design was to guarantee a valid, open ldisc for the lifetime of
the tty.

However, now that tty buffers are owned by and have lifetime equivalent
to the tty_port (since v3.10), any data received immediately after the
ldisc is re-instanced may cause continued driver i/o operations
concurrently with the driver's hangup() operation. For drivers that
shutdown h/w on hangup, this is unexpected and usually bad. For example,
the serial core may free the xmit buffer page concurrently with an
in-progress write() operation (triggered by echo).

With the existing stable and robust ldisc reference handling, the
cleaned-up tty_reopen(), the straggling unsafe ldisc use cleaned up, and
the preparation to properly handle a NULL tty->ldisc, the ldisc instance
can be destroyed and only re-instanced when the tty is re-opened.

If the tty was opened as /dev/console or /dev/tty0, the original behavior
of re-instancing the ldisc is retained (the 'reinit' parameter to
tty_ldisc_hangup() is true). This is required since those file descriptors
are never hungup.

This patch has negligible impact on userspace; the tty file_operations ptr
is changed to point to the hungup file operations _before_ the ldisc
instance is destroyed, so only racing file operations might now retrieve
a NULL ldisc reference (which is simply handled as if the hungup file
operation had been called instead -- see "tty: Prepare for destroying
line discipline on hangup").

This resolves a long-standing FIXME and several crash reports.

Signed-off-by: Peter Hurley <email address hidden>
Signed-off-by: Greg Kroah-Hartman <email address hidden>
(cherry picked from commit 892d1fa7eaaed9d3c04954cb140c34ebc3393932)
Signed-off-by: Kamal Mostafa <email address hidden>
Acked-by: Marcelo Cerri <email address hidden>
Acked-by: Benjamin M Romer <email address hidden>
Signed-off-by: Kleber Sacilotto de Souza <email address hidden>

789fa1d... by Peter Hurley

tty: Refactor tty_ldisc_reinit() for reuse

BugLink: http://bugs.launchpad.net/bugs/1709126

At tty hangup, the line discipline instance is reinitialized by
closing the current ldisc instance and opening a new instance.
This operation is complicated by error recovery: if the attempt
to reinit the current line discipline fails, the line discipline
is reset to N_TTY (which should not but can fail).

Re-purpose tty_ldisc_reinit() to return a valid, open line discipline
instance, or otherwise, an error.

Signed-off-by: Peter Hurley <email address hidden>
Signed-off-by: Greg Kroah-Hartman <email address hidden>
(cherry picked from commit 7896f30d6fc602f02198999acca4840620288990)
Signed-off-by: Kamal Mostafa <email address hidden>
Acked-by: Marcelo Cerri <email address hidden>
Acked-by: Benjamin M Romer <email address hidden>
Signed-off-by: Kleber Sacilotto de Souza <email address hidden>

39b457b... by Peter Hurley

tty: Use 'disc' for line discipline index name

BugLink: http://bugs.launchpad.net/bugs/1709126

tty->ldisc is a ptr to struct tty_ldisc, but unfortunately 'ldisc' is
also used as a parameter or local name to refer to the line discipline
index value (i.e., N_TTY, N_GSM, etc.); instead prefer the name used
by the line discipline registration/ref counting functions.

Signed-off-by: Peter Hurley <email address hidden>
Signed-off-by: Greg Kroah-Hartman <email address hidden>
(cherry picked from commit c12da96f801a3f45b0634c966b9e7cda307daa72)
Signed-off-by: Kamal Mostafa <email address hidden>
Acked-by: Marcelo Cerri <email address hidden>
Acked-by: Benjamin M Romer <email address hidden>
Signed-off-by: Kleber Sacilotto de Souza <email address hidden>

7af12b3... by Peter Hurley

tty: Move tty_ldisc_kill()

BugLink: http://bugs.launchpad.net/bugs/1709126

In preparation for destroying the line discipline instance on hangup,
move tty_ldisc_kill() to eliminate needless forward declarations.
No functional change.

Signed-off-by: Peter Hurley <email address hidden>
Signed-off-by: Greg Kroah-Hartman <email address hidden>
(cherry picked from commit 6ffeb4b2782b31f3d7158795a451ad371955e8a2)
Signed-off-by: Kamal Mostafa <email address hidden>
Acked-by: Marcelo Cerri <email address hidden>
Acked-by: Benjamin M Romer <email address hidden>
Signed-off-by: Kleber Sacilotto de Souza <email address hidden>

05c7a68... by Peter Hurley

tty: Handle NULL tty->ldisc

BugLink: http://bugs.launchpad.net/bugs/1709126

In preparation of destroying line discipline on hangup, fix
ldisc core operations to properly handle when the tty's ldisc is
NULL.

Signed-off-by: Peter Hurley <email address hidden>
Signed-off-by: Greg Kroah-Hartman <email address hidden>
(cherry picked from commit a570a49abd343102ce681bbf8273897c3c9fd2d1)
Signed-off-by: Kamal Mostafa <email address hidden>
Acked-by: Marcelo Cerri <email address hidden>
Acked-by: Benjamin M Romer <email address hidden>
Signed-off-by: Kleber Sacilotto de Souza <email address hidden>

73d32cc... by Peter Hurley

tty: Reset c_line from driver's init_termios

BugLink: http://bugs.launchpad.net/bugs/1709126

After the ldisc is released, but before the tty is destroyed, the termios
is saved (in tty_free_termios()); this termios is restored if a new
tty is created on next open(). However, the line discipline is always
reset, which is not obvious in the current method. Instead, reset
as part of the restore.

Restore the original line discipline, which may not have been N_TTY.

Signed-off-by: Peter Hurley <email address hidden>
Signed-off-by: Greg Kroah-Hartman <email address hidden>
(cherry picked from commit ece53405a1f8ddf60b78e1365addcad521b2c93f)
Signed-off-by: Kamal Mostafa <email address hidden>
Acked-by: Marcelo Cerri <email address hidden>
Acked-by: Benjamin M Romer <email address hidden>
Signed-off-by: Kleber Sacilotto de Souza <email address hidden>